  1. #1
    Just Joined! (Join Date: Dec 2005, Posts: 6)

    configuring sshd with pub keys problem


    Hi people,

    All the servers are SLES8 with the latest version of sshd from you.

    I have a problem with sshd authentication with public keys. The thing is, I need to use scp in scripts without being asked for passwords; that's why I am using pub keys.
    On our development machines (I am the admin) I have used pub keys without problem, but now on the production servers (I'm not the admin) it's not working; it asks for password input all the time. The thing is, I only have a normal user on the 2 production boxes, and this is what I have done:

    created a key pair:
    ssh-keygen -t rsa

    .ssh]$ ls
    id_rsa id_rsa.pub

    launched:
    ssh-copy-id -i id_rsa.pub bebe@172.29.xx.xx

    and checked on the other machine that authorized_keys was created:

    /.ssh> more authorized_keys
    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAo5SbiJdj4Njmwwa3Tz9ozK pgMbNywR7+FmEDlxXk2+XC
    ec/kVWYfzK6/Ig2CzFkybTbLq2K2Gwb6L8uQ4v8rGgS1ZRdi9YonEaP0CUfODg gXZ6EgYXdIrGvh6dIh
    UCIa1u+QA7qFWvpdH2H7ub9GdK+= bebe @x.x.x.x

    Then I ssh to the machine bebe@172.29.xx.xx
    and it asks for a password all the time. This procedure works perfectly on my machines, but not in production, and I can't talk with the admins.

    So I was looking for places where you could block public key authentication. I have looked in sshd_config and pub auth is on:

    RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys

    The PAM sshd config is like this:

    /etc/pam.d> more sshd
    #%PAM-1.0
    auth required pam_unix2.so # set_secrpc
    auth required pam_nologin.so
    auth required pam_env.so
    auth required /lib/security/pam_tally.so onerr=fail no_magic_root
    account required /lib/security/pam_tally.so deny=10 reset no_magic_root
    account required pam_unix2.so
    account required pam_nologin.so
    account required pam_laus.so detach
    password required pam_pwcheck.so
    password required pam_unix2.so use_first_pass use_authtok
    session required pam_unix2.so none
    session required pam_limits.so
    session optional pam_laus.so



    So I have a couple of questions: where can you block pub auth for ssh apart from sshd_config?? Any ideas??

    Is there another way of moving files from one machine to another without being asked for passwords (or where the password can go in the script)??? I can't use NFS or install anything strange on the machine. Any idea???

    Help needed


    THANKS!!

  2. #2
    Linux User DThor (Join Date: Jan 2006, Location: Ca..na...daaa...., Posts: 319)
    ssh should be the way to go, for security and convenience.

    As far as your problem - you don't mention it so I'll bring it up - you've verified that the private key is owned by the same user and the permissions are correct (rw *only* by user)? I know that's what ssh-copy-id is supposed to handle, but I'm wondering if differing userids might be at the root of this.

    DT

  3. #3
    Just Joined! (Join Date: Dec 2005, Posts: 6)
    Thanks for the answer. The perms look OK, have a look:

    bebe@EMAMEL506PRU:~/.ssh> ls -l
    total 4
    -rw------- 1 bebe spresogp 232 mar 3 11:13 authorized_keys


    But what I have seen is that when I log on it is not accessing the .ssh directory:

    I do an ls -lua on the .ssh dir and it doesn't get modified when I log on :$$


    I can't seem to see what the prob is.

  4. #4
    Linux User DThor (Join Date: Jan 2006, Location: Ca..na...daaa...., Posts: 319)
    OK, the next step is to try using the -v param with ssh (verbose login). It steps through the login process and will say when it doesn't find files/keys/auth.

    ssh -v remotesystem

    Best to approach this methodically rather than assume something is blocked.

    DT

  5. #5
    Just Joined! (Join Date: Dec 2005, Posts: 6)
    Thanks for the -v tip:

    What I get related to pubkey is this:

    27864: debug1: authentications that can continue: publickey,password
    27864: debug1: next auth method to try is publickey
    27864: debug1: try privkey: /home/bebe/.ssh/identity
    27864: debug1: try pubkey: /home/bebe/.ssh/id_rsa
    27864: debug1: authentications that can continue: publickey,password
    27864: debug1: try privkey: /home/bebe/.ssh/id_dsa
    27864: debug1: next auth method to try is password
    bebe@emamel506pru's password:


    But I can't work out what the prob is here?? Why doesn't it like the pubkey auth??
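
    In the `ssh -v` output above the client offers /home/bebe/.ssh/id_rsa and the server answers with the same "authentications that can continue" list, which means it declined the key before the client fell back to password. The `auth` lines in the PAM stack quoted in the first post are not consulted for public key authentication in OpenSSH (they are used for password logins), so the conditions worth checking are the ones sshd enforces itself. With StrictModes (the default), the home directory, ~/.ssh and authorized_keys must be owned by the user or root and must not be group- or world-writable, and that check happens before the file is read. Each authorized_keys line must also carry one unbroken base64 blob; the key quoted in the first post appears with spaces inside the blob, and if those are really in the file rather than a paste artifact, sshd will not parse that line. The following is an added shell example, not code from the thread, that runs both checks against a home directory given on the command line and also verifies that every key line decodes to a complete SSH wire-format key. It assumes GNU coreutils (stat -c, base64 -d, od) and awk; the sample key it builds is a constructed, syntactically valid ssh-rsa blob, not a usable key, and the script name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the two server-side checks
# sshd performs before it accepts a key from ~/.ssh/authorized_keys.
#   1. StrictModes: home, ~/.ssh and authorized_keys owned by the user or root
#      and not writable by group or others.
#   2. Each key line carries one whole base64 blob that decodes to a complete
#      SSH wire-format public key whose type matches the first field.
# Assumes GNU coreutils (stat -c, base64 -d, od) and a POSIX sh with awk.

# Octal mode of a path, e.g. 700.
mode_of() {
    stat -c '%a' "$1"
}

# 0 if neither group nor others may write to the path, 1 otherwise.
not_group_or_world_writable() {
    _m=$(mode_of "$1")
    # last two octal digits are group and other; the write bit is 2
    [ $(( (_m / 10 % 10) & 2 )) -eq 0 ] && [ $(( (_m % 10) & 2 )) -eq 0 ]
}

# Walk the StrictModes chain for HOME_DIR; print the first problem and return 1.
check_strict_modes() {
    _uid=$(id -u)
    for _p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$_p" ]; then
            echo "missing: $_p"; return 1
        fi
        _owner=$(stat -c '%u' "$_p")
        if [ "$_owner" != "$_uid" ] && [ "$_owner" != 0 ]; then
            echo "not owned by you or root (uid $_owner): $_p"; return 1
        fi
        if ! not_group_or_world_writable "$_p"; then
            echo "group/world writable (mode $(mode_of "$_p")): $_p"; return 1
        fi
    done
    return 0
}

# Decode a base64 blob and walk the SSH wire format (a sequence of 4-byte
# big-endian length-prefixed strings). Print the type string if the blob is
# complete and consistent; print nothing and return 1 otherwise.
blob_type() {
    printf '%s' "$1" | base64 -d 2>/dev/null | od -An -v -tu1 | awk '
        { for (i = 1; i <= NF; i++) b[n++] = $i }
        END {
            pos = 0; fields = 0; type = ""
            while (pos < n) {
                if (pos + 4 > n) exit 1
                len = ((b[pos] * 256 + b[pos + 1]) * 256 + b[pos + 2]) * 256 + b[pos + 3]
                pos += 4
                if (pos + len > n) exit 1      # string runs past the end of the blob
                if (fields == 0)
                    for (j = 0; j < len; j++) type = type sprintf("%c", b[pos + j])
                pos += len
                fields++
            }
            if (fields < 2) exit 1             # need a type plus at least one parameter
            print type
        }'
}

# Validate every key line in FILE. Blank lines and '#' comments are skipped.
# Reports each bad line; returns 0 only if every key line is good.
check_authorized_keys() {
    _bad=0; _n=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        case $_line in ''|'#'*) continue ;; esac
        _type=${_line%% *}
        _rest=${_line#* }
        _blob=${_rest%% *}
        case $_type in
            ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;;
            *)  # an options prefix (from=, command=, ...) is out of scope here
                echo "line $_n: unrecognised type or options prefix: $_type"
                _bad=$((_bad + 1)); continue ;;
        esac
        if ! printf '%s\n' "$_blob" | grep -Eq '^[A-Za-z0-9+/]+=*$' || [ $(( ${#_blob} % 4 )) -ne 0 ]; then
            echo "line $_n: base64 field is not a whole key (line wrapped or pasted with spaces?)"
            _bad=$((_bad + 1)); continue
        fi
        _got=$(blob_type "$_blob")
        if [ "$_got" != "$_type" ]; then
            echo "line $_n: blob is truncated or of type '$_got', not '$_type'"
            _bad=$((_bad + 1)); continue
        fi
    done < "$1"
    [ "$_bad" -eq 0 ]
}

# Constructed sample for offline use: a syntactically valid ssh-rsa blob with
# a 1-byte exponent and a 1-byte modulus. It is NOT a usable key.
sample_blob() {
    printf '\000\000\000\007ssh-rsa\000\000\000\001\003\000\000\000\001\005' | base64 | tr -d '\n'
}

# Usage: sh check_ssh_keys.sh /home/bebe   (runs both checks on that home)
if [ $# -eq 1 ]; then
    check_strict_modes "$1" && check_authorized_keys "$1/.ssh/authorized_keys" && echo "OK: $1"
fi
```

    Run it on the production box as the target user, e.g. `sh check_ssh_keys.sh /home/bebe`. The `ls -l` in the third post shows authorized_keys at 600 but says nothing about the modes of ~/.ssh or of the home directory itself, and a group-writable home directory is enough for sshd to refuse the key without any message on the client side; this script covers the whole chain.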

  6. #6
    Linux User DThor (Join Date: Jan 2006, Location: Ca..na...daaa...., Posts: 319)
    That's a very good question. I'm starting to run out of ideas this end. At least you know it's unlikely anything external to ssh is somehow blocking stuff - it's talking, it's finding the key, and it's failing and moving on, as it should.

    Every time this sort of thing has happened to me in the past, it's been an oopsie on my part, either an oversight or just plain screwup. Personally, I would rename all .ssh directories on both ends and just start from scratch - this time doing it *manually* by creating keys and not using the ssh-copy-id util (it should work, but I'm just trying to minimize variables).

    Other potential issues could be different versions of ssh - you mention SLES8, which is somewhat old right now. I'm wondering if the version there isn't compatible with the other versions you're running? Once you've determined the versions everywhere, you might want to google that aspect. I seem to recall all sorts of yammering about the open-ssh and the commercial version having patent issues; seems to have forked properly now. Anyway, FWIW, check out these two pages - ignore the cygwin aspect of one of them for windows - they both talk about mixing and matching ssh, open-ssh, and different, more manual approaches to the setup.

    http://www.mines.edu/~gmurray/HowTo/sshNotes.html
    http://www.arches.uga.edu/~pkeck/ssh/

    Good luck!

    DT

    [EDIT] - Silly question - the userid is the same on both systems, right? If they're different, you *cannot* use keys - you'll need to use keyboard-password.
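
    Doing the installation by hand, as suggested above, amounts to what the ssh-copy-id script does on the remote side: create ~/.ssh under `umask 077`, append the single key line unchanged, and leave the directory at 700 and the file at 600. The following added shell example (not from the thread, and not ssh-copy-id's own code) performs those steps against a local target directory so the behaviour can be exercised offline, refuses a key file that has been wrapped onto two lines, skips a key that is already present instead of appending a duplicate, and shows the equivalent one-line remote command. The user@host and key path in the usage comment are taken from the redacted values in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): a manual stand-in for ssh-copy-id.
# install_pubkey appends one public key line to TARGET_HOME/.ssh/authorized_keys,
# creating ~/.ssh under umask 077 so the directory comes out 700 and the file
# 600 (what StrictModes requires), and skipping keys that are already there so
# re-running it never duplicates lines. install_pubkey_remote sends the same
# steps over ssh and is not exercised offline.

# install_pubkey TARGET_HOME PUBKEY_FILE
install_pubkey() {
    _home=$1
    _pub=$2
    # A public key file is exactly one line; a key wrapped over two lines
    # (a common paste accident) must be rejected rather than appended.
    if [ "$(wc -l < "$_pub")" -gt 1 ] || [ -z "$(head -n 1 "$_pub")" ]; then
        echo "$_pub: expected exactly one key line" >&2
        return 1
    fi
    _key=$(head -n 1 "$_pub")
    _dir=$_home/.ssh
    _ak=$_dir/authorized_keys
    # type and blob identify a key; the trailing comment may differ per host
    _id=$(printf '%s\n' "$_key" | awk '{ print $1, $2 }')
    (
        umask 077                            # new dir -> 700, new file -> 600
        mkdir -p "$_dir" || exit 1
        if [ -f "$_ak" ] && awk -v id="$_id" '($1 " " $2) == id { f = 1 } END { exit !f }' "$_ak"; then
            printf 'already present: %.40s...\n' "$_id"
        else
            printf '%s\n' "$_key" >> "$_ak" || exit 1
            printf 'installed: %.40s...\n' "$_id"
        fi
        # tighten modes in case the dir or file pre-existed with looser ones
        chmod 700 "$_dir" && chmod 600 "$_ak"
    )
}

# install_pubkey_remote USER@HOST PUBKEY_FILE
# The key is fed on stdin so it is never pasted into a terminal, and the remote
# shell applies the same umask/mkdir/append/chmod steps as install_pubkey.
# Unlike install_pubkey it appends unconditionally, so run it once per key.
install_pubkey_remote() {
    ssh "$1" 'umask 077; mkdir -p .ssh; cat >> .ssh/authorized_keys; chmod 700 .ssh; chmod 600 .ssh/authorized_keys' < "$2"
}

# Usage for the setup in the thread (host redacted as in the original post):
#   install_pubkey_remote bebe@172.29.xx.xx ~/.ssh/id_rsa.pub
```

    Because the key never passes through a pager or a terminal, the embedded spaces visible in the authorized_keys quoted in the first post cannot be introduced this way; `more` may wrap a long line on display, but the file itself stays intact.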

  7. #7
    Just Joined! (Join Date: Dec 2005, Posts: 6)
    Just to test it out I tried using pubkey the other way round: before I was trying from box 1 to 2, now I have tried 2 to 1 and it works OK! :***, but I need it the other way round. It's so strange, I don't understand. I have reviewed all the config files (ssh_config, sshd_config and /etc/pam.d/ssh) and the only difference is that in sshd_config on machine 2 it has #protocol 2 only, but that should make no difference because when I connect from 2 to 1 I use protocol 2 to connect with no probs, so the mystery continues....

    25036: debug1: authentications that can continue: publickey,password
    25036: debug1: next auth method to try is publickey
    25036: debug1: try privkey: /interfaces_mqgp/.ssh/identity
    25036: debug1: try pubkey: /interfaces_mqgp/.ssh/id_rsa
    25036: debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 0x8095730 hint 1
    25036: debug1: read PEM private key done: type RSA
    25036: debug1: ssh-userauth2 successful: method publickey
    25036: debug1: channel 0: new [client-session]

    It worked! But the other way round ;D


    Thanks for your help.

  8. #8
    Linux User DThor (Join Date: Jan 2006, Location: Ca..na...daaa...., Posts: 319)
    Did you compare the versions of ssh? It's possible one is significantly behind the other - one is backward compatible, the other isn't forward compatible. Could be the type of encryption.

    DT
